DragonEX Incident Investigation Report: Tracking the Stolen $6M (USD) Asset Movements
On the morning of 03/24 Beijing time, the DragonEX exchange announced that digital assets had been stolen from its platform, and asked for help to track and intercept the hackers. In the report, DragonEX mentioned that more than 20 cryptocurrencies were stolen, including BTC, ETH, EOS, etc. The total value of the stolen tokens was not revealed, but after some initial analysis, we found that this incident ranks among the top blockchain hacking events in terms of total value and token types.
After receiving the DragonEX warning, the PeckShield team immediately started to analyze the attack procedure and retrace the stolen asset movements. Using the PeckShield Digital Asset Protection System, we found that $6,028,283 worth of digital assets was lost in total: $929,162 of it has been moved into other exchanges, and tokens worth $5,099,121 still remain in the hackers' wallet addresses.
After initial analysis, PeckShield researchers found that the hackers most likely managed to steal the private keys of DragonEX wallets, obtained server API access illegally, and then moved the digital assets out of the DragonEX platform. The hackers' stealing and money laundering operations can be divided into two phases:
- Token stealing phase: From 1AM to 8AM Beijing time on 03/24, the hackers moved 20+ types of digital assets from DragonEX to their own addresses, including BTC, ETH, EOS, etc.
- Money laundering phase: From 03/26 until now, the hackers have moved $929,162 worth of tokens into various exchanges, where they could already have been sold. Tokens worth $5,099,121 are still in the hackers' addresses and could be moved to exchanges soon if not intercepted by exchanges or other parties.
The Timeline of this hacking incident
Using blockchain data, PeckShield researchers created the following table to show the timeline of this incident:
The Detailed list of the stolen tokens
The Detailed Analysis of the hacking procedure
Let's use USDT and TRON as examples to analyze how the hackers moved the stolen coins:
The following diagram shows the movements of USDT tokens into hackers addresses:
1. At 2:42:54 on 03/24/2019, a large amount of USDT tokens was moved from DragonEX address 1QBaDdhCTC2k9WWFhCXCJvYHpVSqLSRxaJ to these six addresses:
a. 1P4cdD9kTFGV6wmFxbeoZXosRNUrMrMbmN 273,597 USDTs;
b. 1JBoGBv7GnqN6ncEi9aSU71gobcMG9R1Ca 222,738 USDTs;
c. 114F7vWREusZTRGcEZGoTAuhWvq8T5tzxR 238,652 USDTs;
d. 1HapWDybdWW1H61saGokQ88xVaHvfukgu2 240,971 USDTs;
e. 17gqLwmBxdmKEP8vaBEn2ghHvj4vqCiR6q 240,971 USDTs;
f. 1B6t6RnVMpTQKhbXsr8hNB3DiyXSSkomkU 247,390.31777 USDTs.
2. After receiving the USDT tokens, these six addresses moved the USDTs into several exchanges through multiple layers of transfers. Here is the current status of these USDTs as located by PeckShield researchers:
a. After several transfers, 330,031 USDTs were finally moved to CoinBene address 1HCviLYNqHAyeZxGTj9Mtgvj1NJgQuSo91 through these two addresses: 1GirA64XdJjH6HHzgH7Tj5WoBmyH5Z3wjn and 1CdbfukQ1JsJK5csqYGonP1mDp3hVyePc3;
b. Also after several transfers, 245,429 USDTs were moved to KuCoin address 17ScKNXo4cL8DyfWfcCWu1uJySQuJm7iKC through this address: 1AEJpcgLUrMyqz3iPAF3ETozwV3PaZkjGo;
c. 208,127 USDTs were moved to an unknown exchange address: 1DUb2YYbQA1jjaNYzVXLZ7ZioEhLXtbUru;
d. 140,666 USDT stayed in 1J3tVZrmQFiH2R8fCsGab7AfWVKh6wHTQ6;
e. After several transfers, 135,282 USDTs were moved to BitForex address 12vCxak5xc1t6T275xbm6AJ4xsZCxkTSc5 through these two addresses: 1CNwEPguYVUhziMEiCe1PKKSHv2Ur5B1KC and 1CNuTqmJcwfyWKdtuqhitUL4pewWcPJuzf;
f. After several transfers, 126,994 USDTs were moved to 135gVHBkLUidwpd6va9eZyECGVLCek2z4y;
g. The remaining 277,790 USDTs stayed in several accounts.
The following diagram shows the movements of TRON tokens:
The detailed procedure is as follows:
- On 03/24/2019, 1,453,956 TRXs were moved from DragonEX address TPTwvsifK6EiQ1mm6b4eEQAcammL5215g6 to address TJeMF6CpEDeG94UAF7d4dzjXkgrwwtDGFB;
- Between 03/24/2019 and 03/26/2019, there was no movement of the TRX tokens in address TJeM…DGFB;
- From 9AM to 10AM on 03/26/2019, TRX tokens were moved from TJeM…DGFB to six new addresses, and then moved again from these six addresses to TR8T47ouBgr7V2ssDjDaz9PJ7JaPH3kwrR. PeckShield researchers determined that the TR8T…kwrR address belongs to Binance;
- By this point, all 1,453,956 TRX tokens had been moved into Binance.
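The TRX flow described above, replayed through a small taint-tracing routine of the kind an exchange or investigator could run over a transfer ledger (an added example, not PeckShield's tooling). The three full addresses come from the report; the six intermediate addresses (`HOP_1` to `HOP_6`), the split between them, the exact timestamps and the unrelated transfer are constructed, since the report does not list them.

```python
from collections import defaultdict

# Addresses quoted in the report.
DRAGONEX = "TPTwvsifK6EiQ1mm6b4eEQAcammL5215g6"
FIRST_HOP = "TJeMF6CpEDeG94UAF7d4dzjXkgrwwtDGFB"
LABELS = {"TR8T47ouBgr7V2ssDjDaz9PJ7JaPH3kwrR": "Binance"}
STOLEN_TRX = 1_453_956

def sample_transfers():
    """Constructed ledger: hop names, per-hop split and timestamps are assumptions."""
    split = [250_000] * 5 + [203_956]          # sums to STOLEN_TRX
    binance = next(iter(LABELS))
    txs = [("2019-03-24T01:00", DRAGONEX, FIRST_HOP, STOLEN_TRX),
           ("2019-03-25T12:00", "UNRELATED_A", "UNRELATED_B", 500)]  # noise
    for i, amount in enumerate(split, start=1):
        txs.append(("2019-03-26T09:10", FIRST_HOP, f"HOP_{i}", amount))
        txs.append(("2019-03-26T09:40", f"HOP_{i}", binance, amount))
    return txs

def trace(transfers, source, labels):
    """Follow funds leaving `source` in time order.

    Returns (amount per labelled exchange, amount resting per unlabelled address).
    Assumes tainted units leave an address before clean ones.
    """
    tainted = defaultdict(int)
    tainted[source] = float("inf")             # every outflow from the victim is stolen
    for _, src, dst, amount in sorted(transfers):
        if src in labels:                      # cannot follow funds inside an exchange
            continue
        moved = min(amount, tainted[src])
        if moved <= 0:                         # sender holds no traced funds
            continue
        if src != source:
            tainted[src] -= moved
        tainted[dst] += moved
    del tainted[source]
    at_exchange, resting = defaultdict(int), {}
    for addr, value in tainted.items():
        if value <= 0:
            continue
        if addr in labels:
            at_exchange[labels[addr]] += value
        else:
            resting[addr] = value
    return dict(at_exchange), resting

if __name__ == "__main__":
    print(trace(sample_transfers(), DRAGONEX, LABELS))
```

Cutting the ledger off before 03/26 leaves the full amount resting in the first-hop address, which is the window in which a freeze request would still have caught all of it.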
During this DragonEX hacking incident, the hackers stole almost all of the digital assets on the DragonEX platform in a short period of time, and quickly moved some tokens into other exchanges for money laundering purposes. However, most of the stolen tokens are still in the hackers' addresses, and it is still possible to freeze these assets if the community and exchanges work together to stop further token transfers.
Above all, hacking events threaten the safety of users' digital assets, and we at PeckShield would like to call on exchanges to improve their risk mitigation capability, and to ask for help from professional blockchain security firms when needed.